Last time in our series on how to avoid tech security and privacy risks, we talked about the lockscreen and passcodes. As we continue investigating how we can better lock down our devices, finances, and lives, there’s one more item in this category that we need to acknowledge: two factor authentication. It’s a way of making payment cards and our apps more secure, but that added security can be a double-edged sword.
Two Factor Authentication
Two factor authentication has the potential of making thieves work harder to gain your info and money. But it also adds a layer of personal inconvenience that some may find unacceptable. Whether it’s a physical credit or debit card or a mobile device, a second something has to be present.
It’s been pointed out that two factor has weaknesses. I’ll agree there have been a variety of them, along with some inconveniences. One of the biggest problems is switching or losing the device used for the secondary authentication. If you know you’re moving to a new device, Evernote, Lastpass, Google, Facebook, Twitter, and Dropbox (among others) all have settings pages where you can add the initial device or switch to the new one. They also have ways to access your accounts if you lose that secondary device.
Another weakness is that the two most common ways of getting one time authentication codes, SMS and email, are both insecure themselves. Email can be encrypted, but only when both ends use compatible email clients. Still, most of us aren’t consistently in situations where that might be an issue.
TwoFactorAuth.org is an online project that maintains a growing categorized listing of the places which do or don’t offer two factor authentication. It’s a great starting point. From there, you can find out which sites and companies support it, how, and what procedures they have to access your account if the second form of authentication is lost. Those are all important things to know. And for many, it may be good reason to go slow.
Setting up and using two factor authentication on each account can seem like a lot of work. For some, setting it up and using it for the first time can become overwhelming when done all at once, particularly if you have info or notifications from any accounts going to more than one device. It might be easier, at least at first, to pick your most important accounts and sites and set up two or three to get used to the one time authentication codes, etc. But we all want the added security this can give.
We talked previously about using a password manager, and there are several good reasons to. Remember the parameters we suggested for the lockscreen passcodes? That goes for sites and accounts, too.
- Use a mixture of upper and lower case letters, numbers, and miscellaneous characters.
- As much as possible, avoid real words.
- Don’t use dates or words of things known to be connected with you. No birthdays, pet names, etc.
- The longer, the better.
- Besides the lockscreen passcode tips mentioned in those last four items, there’s more. Each site or account should have a unique passcode. That, potentially, could be a lot of passcodes.
- Google suggests periodically changing your login passcodes. All of them. They don’t all need to be changed at once, but they should be changed.
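As an added illustration (not from the original post), here is a small Python checker that applies the passcode rules listed above to a candidate passcode and also flags passcodes reused across sites. The personal names, dates, and the tiny word list are constructed sample data standing in for a real dictionary and the user’s own details.

```python
import re
import string
from datetime import date

# Constructed sample data: things "known to be connected with you" (pet names, surname, birthday)
# and a tiny stand-in for a real-word dictionary.
PERSONAL_TERMS = {"rex", "fluffy", "smith"}
PERSONAL_DATES = [date(1985, 7, 4)]
COMMON_WORDS = {"password", "welcome", "dragon", "summer", "letmein"}


def date_forms(d):
    """Digit strings a date commonly appears as inside a passcode (07041985, 1985, 0704, ...)."""
    return {d.strftime("%m%d%Y"), d.strftime("%d%m%Y"), d.strftime("%m%d%y"),
            d.strftime("%Y"), d.strftime("%m%d")}


def check_passcode(pw, min_len=12):
    """Return the list of rules the passcode violates; an empty list means it passes."""
    problems = []
    low = pw.lower()
    if len(pw) < min_len:                      # "the longer, the better"
        problems.append("too short")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("needs upper and lower case")
    if not any(c.isdigit() for c in pw):
        problems.append("needs a digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("needs a miscellaneous character")
    if any(w in low for w in COMMON_WORDS):    # "avoid real words"
        problems.append("contains a real word")
    if any(t in low for t in PERSONAL_TERMS):  # "no pet names, etc."
        problems.append("contains a personal name")
    digits = re.sub(r"\D", "", pw)             # compare only the digit runs against known dates
    if any(f in digits for d in PERSONAL_DATES for f in date_forms(d)):
        problems.append("contains a personal date")
    return problems


def find_reuse(vault):
    """vault maps site -> passcode; return the sites that share a passcode with another site."""
    by_passcode = {}
    for site, pw in vault.items():
        by_passcode.setdefault(pw, []).append(site)
    return sorted(s for sites in by_passcode.values() if len(sites) > 1 for s in sites)
```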
All of that makes a password manager essential. Which one is right for you depends on how well it meets your priorities. My particular favorite is keepass2. It’s free, open source, uses strong encryption, and is easy to use. There are versions for Windows, OS X, a variety of linux distributions, Android, iOS, Windows Phone, and Blackberry 10 — plus a thumb drive portable version. The latest version adds hash sums and OpenPGP signatures for integrity checking. We’ll discuss some others in a future post.
Cloud Storage and Backup
We’ll finish by hitting a question I was recently asked. Someone with a new smartphone on a (to them) new platform asked about using the cloud for sync and backup. And pretty much all of consumer-grade cloud computing is actually backup and sync. Anyway, she asked about the safety and security of using the cloud. So, let’s take a look.
We’ve all seen the news about ransomware, patient or client records stolen, etc. That can seem pretty scary, but think about it. It’s the big guns like banking and hospitals that have the number of records, the kind of information, and the finances to make it all worthwhile for hackers. Your Dropbox account or my OneDrive account isn’t high on anyone’s priority list, except ours.
Many experts suggest both local and cloud backup and sync. For portable devices (phones and tablets), that means backing up to a computer and also to the cloud. For computers, again there’s cloud backup, but add to that a local backup on an external drive. Neither form of backup is expensive anymore. Many of the cloud backup sites do have the two factor authentication we discussed above as an option. And, if you already use encryption on your files, that’s an extra layer of protection. There are a lot of backup software options, so doing both forms still doesn’t have to be an expensive deal. By doing both, either one can fail (hard disk failure or no connectivity) and there’s still the other to maintain smooth sailing.
One final note. I recently saw a piece on Android security that suggested the user turn off cloud sync because law enforcement could force Google to give them access to our data. For the average consumer, that isn’t an issue. So for most of us, that’s a pretty silly argument. Those who might have a problem with that are already avoiding anything that would include possible law enforcement access.
We’ll have more next time, including some thoughts on viruses and malware. Are you still keeping the bad guys at bay?
Source: Lifehacker